我有一个由Ajax激发的简单php代码,用于检查输入的密码是否正确。现在,对于这个功能,我还想在5次登录失败后阻止登录10秒。
这是代码本身:
//Beforehand I started the session, and connected the $link to the mysql database
if(!isset($_SESSION['lim'])){
$_SESSION['lim'] = 5;
}
$p = $_POST['text']; //I WILL TAKE CARE OF VALIDATION LATER
//All of the passwords will be crypted, and the variable will be
//validated. Just after I'm done with this system.
if($_SESSION['lim']>0){
$result = mysqli_query($link, "SELECT id FROM passwd where pass = '".$p."' ;");
if( mysqli_num_rows($result) > 0){
echo 1;
$_SESSION["passed"] = "true";
}else{
echo 0;
--$_SESSION['lim'];
}
}else{
echo 2;
if(!isset($_SESSION['blockTime'])){$_SESSION['blockTime'] = time();}
}
if(($_SESSION['lim'] == 0) && (time() - $_SESSION['blockTime'] > 10)){
$_SESSION['lim'] = 5;
}
问题是代码在5次尝试后没有完成阻塞部分。现在,问题本身很可能位于以下位置:
if(($_SESSION['lim'] == 0) && (time() - $_SESSION['blockTime'] > 10)){
$_SESSION['lim'] = 5;
}
因为如果没有这一部分,阻塞就可以正常工作(除了在10秒后不启用登录)。if语句似乎每次都会执行,而不是只在lim为空并且已经过了10秒时执行。
这里可能有什么问题,我如何使if正常工作
您的代码中有问题。最后一个--$_SESSION['lim'];
使其为零,但它没有将$_SESSION['blockTime']
设置为time()
,因此…当在中进行比较时
如果(($_SESSION['lim']==0)&;(时间()-$_SESSION['blockTime']>10)){$_SESSION['lim']=5;}
它永远是真的,所以计数器恢复了它。
为了避免这种情况,只需添加´$_SESSION['blockTime']=time();´每次减去一次尝试。
if(!isset($_SESSION['lim'])){
$_SESSION['lim'] = 5;
}
$p = $_POST['text'];
if($_SESSION['lim']>0){
$result = mysqli_query($link, "SELECT id FROM passwd where pass = '".$p."' ;");
if( mysqli_num_rows($result) > 0){
echo 1;
$_SESSION["passed"] = "true";
}else{
echo 0;
--$_SESSION['lim'];
$_SESSION['blockTime'] = time();
}
}else{
$_SESSION['blockTime'] = time();
}
if(($_SESSION['lim'] == 0) && (time() - $_SESSION['blockTime'] > 10)){
$_SESSION['lim'] = 5;
}
测试和工作。
总而言之,请审查关于注射和暴力的评论非常重要。
希望它能有所帮助!
当您重新初始化时,请确保重置您的blockTime变量:
if(($_SESSION['lim'] == 0) && (time() - $_SESSION['blockTime'] > 10)){
$_SESSION['lim'] = 5;
unset($_SESSION['blockTime']);
}